[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF questions

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: PF questions
From: "Arne P. Boettger" <apb_(_at_)_wohnheim_(_dot_)_fh-wedel_(_dot_)_de>
Date: Mon, 28 Oct 2002 11:42:17 +0100

Hi,

> is there finally a way to make an ACL based on MAC address? I want all 
> of our machines have internet access but I don't want anyone to bring 
> any of their home laptops and figure out the ip configuration and browse 
> the net etc. 

No, it's not possible, and you probably shouldn't do this. If the
employees aren't complete morons, they'll soon figure out how to 
change their MAC-Adress. 
It's better to use a tool like arpwatch to monitor MAC<->IP-Adress
mappings and coincidentally show up to tell them that what they do
is against the company policy and could cost them their employment
<evil grin>

> Also "content-filtering" isn't working in pf either, is it?.. (as in drop 
> every packet that contains root.exe for example)

That's not really possible because there are endless different ways
to encode root.exe to finally find a way that's not filtered.
Your best bet would be an application-proxy, but that's as far as I
know beyond openBSD's scope.

Ciao, Arne.
-- 
 ,``o. OpenBSD        -        Debian GNU/Linux        -        Solaris  >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11  Arne P. Boettger <apb_(_at_)_createx_(_dot_)_de>  /\\
 ',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V

Prev by Date: Re: no "flags x"? [CVS: cvs.openbsd.org: src]
Next by Date: Re: no "flags x"? [CVS: cvs.openbsd.org: src]
Previous by thread: Re: Version???
Next by thread: [RESEND] pf - How to determine IN vs OUT on interface
Index(es):
- Date
- Thread

Visit your host, monkey.org